In fact you could probably simplify the access list down to (which means shape everything not going to and from an internal IP address):

ip access-list extended Internet-Bandwidth
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip any any

Thanks Giuseppe and Philip, your both suggestion worked, but i analyzed that when i apply shaping on sub-internet-face (int gig 0/0.8) and i try to copy some data from other vlan server, my Lan speed downgrades, like a 1.15GB file copies around 360Mbps to 390Mbps with shaping. if i remove it from sub-internet-face (int gig 0/0.8) same file copies 700Mbps to 750Mpbs. i think shaping is till effecting Lan bandwidth.....

What platform is this being done on?

Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 15.1(4)M8, RELEASE SOFTWARE (fc2)

Hmm.  I suspect we might be maxing out the CPU.  When you do the file copy does the CPU on the router hit 100%?  What does it get up to?

Have you got CEF enabled?

Yes Router CPU goes to 100%, i see "ip cef" in my running config.

The short answer is your platform does not have enough grunt to do PBR at these speeds.

You should do PBR on the circuit heading towards the Internet instead.  If you don't have such a layer 3 interface then you may need to create one.

actually my main goal is to restrict the internal user to 10Mbps link, and setup VOIP  QoS with remote office over the VPN. i have setup PBR. following is my config.

track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1

interface GigabitEthernet0/0.10
description Servers-&-Switches-Vlan
encapsulation dot1Q 10
ip address 192.168.10.3 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR

interface FastEthernet0/0/1
description "Fiber Link 30Mbps"
ip address 50.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly in

duplex auto

speed 100

interface FastEthernet0/1/0
description "Cable Link 12Mbps"
ip address 162.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly in

duplex auto
speed auto

ip nat inside source route-map ISP1 interface FastEthernet0/0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1/0 overload

ip access-list extended acl_internet
deny ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp1
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp2
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any

ip sla 1
icmp-echo 50.x.x.x
threshold 500
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 162.x.x.x
threshold 500
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now

route-map PBR permit 10
match ip address acl_natisp1
set ip next-hop verify-availability 50.x.x.x 1 track 10
!
route-map PBR permit 20
match ip address acl_natisp2
set ip next-hop verify-availability 162.x.x.x 2 track 20
!
route-map ISP2 permit 20
match ip address acl_internet
match interface FastEthernet0/1/0
!
route-map ISP1 permit 10
match ip address acl_internet
match interface FastEthernet0/0/1

If you actually have a Gigabit Internet circuit then the hardware you have is not going to do meet your new requirements.

Ideally you want a layer 3 switch to route between the internal VLANs.  This can do it at line rate.

Then use something like a Cisco 4451 to do the Internet circuit and PBR.  You'll want the HSEC and probably the AppX licence as well.

i have Fastethernet for Internet and Gigabit for Intranet (Vlans) on router. I have WS-3560G as core switch, can i do shaping on core switch and VOIP QoS on router?

This should make it easy.  Do all the routing for the VLANs on the 3560.  Don't do it on the router.

Use the router only for the Internet circuit, and do the shaping on the port to the Internet.

hmm, i have to think about it, it is critical production environment. any suggestion how to move Vlans from router to switch? and any recommended stackable switch to replace 3560. 

i wanted to update you, if i remove shaping and copy data from other vlan then router CPU goes to 90%. it is normal? or there is something wrong with IOS?

Cisco 3850's are great stackable switches.

The current 3845 you are using is struggling to keep up with the laod you are already giving it.  Yes I could believe it running at 90% CPU load based on what you have said.

The design isn't correct.  The VLANs should really be routed on a L3 switch, not the router.